#
1.7 |
|
10-Sep-2018 |
henning |
in pf_syncookie_validate, return early if we don't have syncookies in flight that can possibly match. there is a tiny but existing chance that a sequence number matches w/ our hash and we'd end up dropping traffic. unclear whether that has actually happened since the report chain is long :) report via haesbert via bluhm; ok bluhm
|
#
1.6 |
|
18-Jun-2018 |
procter |
Refactor the six ways to find TCP options into one new function. As a result:
- MSS and WSCALE option candidates must now meet their min type length.
- 'max-mss' is now more tolerant of malformed option lists.
These changes were immaterial to the live traffic I've examined.
OK sashan@ mpi@
|
Revision tags: OPENBSD_6_3_BASE
|
#
1.5 |
|
08-Feb-2018 |
henning |
make the watermarks/thresholds for entering and leaving syncookie mode when syncookies are set to adaptive tunable, ok claudio benno
|
#
1.4 |
|
08-Feb-2018 |
henning |
add DIOCGETSYNFLWATS to get current synflood detection watermarks, ok claudio benno procter
|
#
1.3 |
|
07-Feb-2018 |
henning |
provide counters for # of synfloods detected, # of syncookies sent, # of syncookies successfully validated, ok phessler
|
#
1.2 |
|
07-Feb-2018 |
dlg |
unbreak strict alignment archs by using SIPHASH_KEY for siphash keys, not uint8_t array.
found by sparc64.
probably ok henning@, but he's at coffee
|
#
1.1 |
|
06-Feb-2018 |
henning |
syncookies implementation to be used in pf, based on the FreeBSD one by Andre Oppermann, heavily adjusted for pf instead of stack use and with entirely rewritten timeout machinery and new hashing with bits from sashan, widely discussed with the other network hackers
|